security-profiles-operator

module

v0.4.3 Latest Latest Go to latest Published: Jun 7, 2022 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kubernetes-sigs/security-profiles-operator

Links

Open Source Insights

README ¶

Kubernetes Security Profiles Operator

This project is the starting point for the Security Profiles Operator (SPO), an out-of-tree Kubernetes enhancement which aims to make it easier for users to use SELinux, seccomp and AppArmor in Kubernetes clusters.

About

The motivation behind the project can be found in the corresponding RFC.

Related Kubernetes Enhancement Proposals (KEPs) which have direct influence on this project:

Next to those KEPs, here are existing approaches for security profiles in the Kubernetes world:

Features

The SPO's features are implemented for each one of the underlying supported technologies, namely: Seccomp, SELinux and AppArmor. Here's the feature parity status across them:

	Seccomp	SELinux	AppArmor
Profile CRD	Yes	Yes	Yes
ProfileBinding	Yes	No	No
Deploy profiles into nodes	Yes	Yes	WIP
Remove profiles no longer in use	Yes	Yes	WIP
Profile Auto-generation (logs)	Yes	WIP	No
Profile Auto-generation (ebpf)	Yes	No	No
Audit log enrichment	Yes	WIP	Yes

For information about the security model and what permissions each features requires, refer to SPO's security model.

Personas & User Stories

As any other piece of software, this operator is meant to help people. Thus, the target personas have been reflected in a document in this repo.

The functionality that this operator is meant to enable is captured as user stories. If you feel that a user story is not captured properly, feel free to submit a Pull Request. The team will be more than happy to review and help you reflect the requirement.

Roadmap

The project tries to not overlap with those existing implementations to provide valuable additions in a more secure Kubernetes context. We created a mind map to get a better feeling about all features we want to implement to better support some security areas within Kubernetes:

mind-map

Going forwards, the operator will extend its purpose to assist Kubernetes users to create, distribute and apply security profiles for seccomp, AppArmor, SeLinux, PodSecurityPolicies and RBAC permissions.

Community, discussion, contribution, and support

If you're interested in contributing to SPO, please see the developer focused document

We schedule a monthly meeting every last Thursday of a month.

Meeting Notes

Learn how to engage with the Kubernetes community on the community page.

You can reach the maintainers of this project at:

Code of conduct

Participation in the Kubernetes community is governed by the Kubernetes Code of Conduct.

Directories ¶

Path	Synopsis
api
apparmorprofile/v1alpha1 Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io	Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io
grpc/bpfrecorder
grpc/enricher
grpc/metrics
profilebase/v1alpha1
profilebinding/v1alpha1 Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io	Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io
profilerecording/v1alpha1 Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io	Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io
seccompprofile/v1beta1 Package v1beta1 contains API Schema definitions for the security-profiles-operator v1beta1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io	Package v1beta1 contains API Schema definitions for the security-profiles-operator v1beta1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io
secprofnodestatus/v1alpha1 Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io	Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io
selinuxprofile/v1alpha2 Package v1alpha2 contains API Schema definitions for the security-profiles-operator v1alpha2 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io	Package v1alpha2 contains API Schema definitions for the security-profiles-operator v1alpha2 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io
spod/v1alpha1 Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io	Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io
cmd
security-profiles-operator
internal
pkg/atomic
pkg/config
pkg/controller
pkg/daemon/apparmorprofile
pkg/daemon/bpfrecorder
pkg/daemon/bpfrecorder/bpfrecorderfakes Code generated by counterfeiter.	Code generated by counterfeiter.
pkg/daemon/bpfrecorder/generate
pkg/daemon/bpfrecorder/types
pkg/daemon/common
pkg/daemon/enricher
pkg/daemon/enricher/enricherfakes Code generated by counterfeiter.	Code generated by counterfeiter.
pkg/daemon/metrics
pkg/daemon/metrics/metricsfakes Code generated by counterfeiter.	Code generated by counterfeiter.
pkg/daemon/profilerecorder
pkg/daemon/profilerecorder/profilerecorderfakes Code generated by counterfeiter.	Code generated by counterfeiter.
pkg/daemon/seccompprofile
pkg/daemon/selinuxprofile
pkg/manager/nodestatus
pkg/manager/spod
pkg/manager/spod/bindata
pkg/manager/workloadannotator
pkg/nodestatus
pkg/nonrootenabler
pkg/nonrootenabler/nonrootenablerfakes Code generated by counterfeiter.	Code generated by counterfeiter.
pkg/translator
pkg/util
pkg/version
pkg/webhooks/binding
pkg/webhooks/binding/bindingfakes Code generated by counterfeiter.	Code generated by counterfeiter.
pkg/webhooks/recording
pkg/webhooks/recording/recordingfakes Code generated by counterfeiter.	Code generated by counterfeiter.
pkg/webhooks/utils

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL